Alert Number: I-101824-PSA

Just So You Know: Foreign Threat Actors Likely to Use a Variety of Tactics to Develop and Spread Disinformation During 2024 U.S. General Election Cycle


The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are issuing this announcement to raise awareness of the efforts posed by foreign threat actors to spread disinformation in the lead up to, and likely in the days following, the 2024 U.S. general election. Foreign threat actors are knowingly disseminating false claims and narratives that seek to undermine the American people's confidence in the security and legitimacy of the election process

The FBI and CISA have no information suggesting malicious cyber activity against U.S. election infrastructure has compromised the integrity of voter registration information, prevented an eligible voter from casting a ballot, impacted the integrity of any ballots cast, or disrupted the ability to count votes or transmit unofficial election results in a timely manner. However, foreign adversaries may use false or misleading narratives that indicate otherwise to further their objectives of undermining American public confidence in democratic processes and institutions.

While foreign malign influence operations and disinformation targeting American elections are not new, the proliferation of generative artificial intelligence (AI)-enabled tools is exacerbating pre-existing tactics. Generative AI-enabled tools have lowered the barrier for foreign malicious actors to conduct more sophisticated influence campaigns. We are seeing foreign actors use these tools to develop and distribute more compelling synthetic media messaging campaigns and inauthentic news articles, as well as synthetic pictures and deepfakes (video and audio) at greater speed and scale across numerous US- and foreign-based platforms. These efforts to develop content are designed to undermine voter confidence and to entice unwitting consumers of the information to discuss, share, and amplify the spread of false or misleading narratives.

Foreign threat actors use a variety of methods, often in tandem, to knowingly spread and amplify false or misleading claims about voting processes and results, including false claims that the processes or results have been compromised by malicious cyber activity to cast doubt on the legitimacy or outcome of the vote. These actors use commercial firms, paid influence, witting and unwitting Americans, publicly available and dark web media channels, online journals, messaging applications, spoofed websites, emails, text messages, and fake online personas on U.S. and foreign platforms to spread and amplify these false claims.

In previous public service announcements, the FBI and CISA raised awareness about tactics that could be used in foreign malign influence operations to undermine public confidence in elections. Those announcements highlighted foreign threat actors' use of publicly available voter registration information as "evidence" to falsely claim that a cyber operation compromised voting systems or altered election results. Similarly, foreign threat actors may falsely claim that ransomware or distributed denial of service incidents impacting election offices could impact the security or accuracy of vote casting or counting processes.

Russian Influence Efforts

As part of efforts to combat foreign actors who are seeking to interfere in and influence U.S. elections, the Department of Justice (DOJ), in collaboration with federal partners, has taken a series of actions to degrade Russian threat actors' capabilities to conduct these malign influence campaigns.

In July 2024, the DOJ, in coordination with U.S. and international partners, exposed a covert Russian government-operated, AI-enhanced social media bot farm using specialized software to create fictitious social media personas at scale. In September 2024, the DOJ took steps to disrupt Russian government-directed foreign malign influence campaigns by seizing more than 32 internet domains controlled by Russian government malign influence actors. The DOJ also indicted employees of a Russian state-controlled media outlet who covertly funded and directed a U.S.-based company that deployed nearly $10 million to disseminate pro-Russian narratives to a U.S. audience.

Over the course of these actions, the DOJ seized website domains that Russian malign influence actors created and deliberately designed to look like legitimate mainstream news websites (see below for examples). Many of the seized domains employed "cybersquatting," — a method of registering a domain intended to mimic another person's or company’s domain. The images below are screen captures of articles produced by these Russian government actors. These examples include websites such as "washingtonpost.pm", and "fox-news.in," which are not the real websites of the Washington Post and Fox News

A fake news article purporting to be from the Washington Post A fake news article purporting to be from Fox News
Russian government or proxy-created fake media websites falsely presenting as prominent U.S. news outlets with propaganda messaging and articles to further the threat actors’ intended messaging and goals.

Russian malign influence actors also created fake social media profiles posing as U.S. citizens to direct users to these fake news websites and purchased social media advertisements to drive traffic to the specific fake articles on the fake news site. The Appendix at the end of this document provides a compilation of websites that the FBI, Department of State, or Department of Treasury have previously publicly attributed to Russian malign influence actors, as well as websites and social media accounts that the Intelligence Community has attributed to Russian malign influence actors.

Iranian Influence Efforts

In addition to Russia, Iran is also undertaking influence operations as it has in past election cycles, including through its cyber apparatus, targeting current and former U.S. government officials, members of the media, nongovernmental organizations, and individuals associated with U.S. political campaigns. Iran is probably using generative AI and inauthentic personas to hide its hand and attempt to sow discord during the 2024 U.S. election cycle. On September 27, 2024, the DOJ charged three Iranian nationals identified as employees of the Islamic Revolutionary Guard Corps (IRGC), for a wide-ranging hacking conspiracy targeting current and former U.S. officials. The three IRGC employees are alleged to have conspired to hack into accounts of current and former U.S. officials, members of the media, nongovernmental organizations, and individuals associated with U.S. political campaigns. That indictment further alleged that in June 2024, the IRGC conspirators engaged in a "hack-and-leak" operation, in which they sought to weaponize campaign material stolen from a U.S. Presidential campaign. Additionally, the FBI, U.S. Cyber Command, the Department of Treasury, and the United Kingdom's National Cyber Security Centre have previously disseminated a Joint Cybersecurity Advisory that includes a list of malicious domains used by cyber actors working on behalf of the IRGC, which is linked below. We have also seen Iranian actors use similar tactics as Russian malign influence actors where they create inauthentic news sites posing as a legitimate media organization (see example below).

A fake news article purporting to be from an inauthentic news site called Savannah Time A fake news article purporting to be from an inauthentic news site called Westland Sun
Iranian government or proxy-created website presenting as a fake local news organization, which uses propaganda messaging and articles to further Iran's intended messaging and goals.

Recommendations

We urge the American public to critically evaluate the sources of the information they consume and to seek out reliable and verified information from trusted sources, such as state and local election officials. Specifically, we recommend the American public take the following precautions:

  • Educate yourself and others on the tactics of foreign malign influence operations, including the use of generative AI and deep-fakes, and their goal to undermine American public confidence in U.S. democratic institutions and processes. Greater public awareness may help limit the spread of foreign malign influence campaigns.
  • Seek out information from trusted, official sources, such as state and local election officials, and verify reported claims through trusted, official sources before sharing such information.
  • To better understand what you are viewing, know the media and social media company policies and citation rules to denote or disclose content created or doctored with generative AI tools. When viewing content, consider who produced it and look for labels that may identify the content as AI-generated.
  • Consider reporting information concerning suspicious or criminal activity, to include the distribution of knowingly false information regarding the time, place, or manner of elections designed to deprive individuals of their right to vote, to their local FBI field office.

Role of the FBI and CISA in Elections

The FBI and CISA coordinate closely with federal,state, and local election partners and provide services and information to safeguard U.S. voting processes and maintain the resilience of U.S. elections. The FBI, alongside DOJ prosecutors, is responsible for investigating and prosecuting election crimes, foreign malign influence operations, and malicious cyber activity targeting election infrastructure and other U.S. democratic institutions. The FBI does not investigate, collect, or maintain information on U.S. persons solely for the purpose of monitoring activities protected by the First Amendment. CISA, as the Sector Risk Management Agency for Election Infrastructure, is the federal government lead for working with critical infrastructure owners and operators, including the election infrastructure community, to ensure the security and resilience of election infrastructure from physical and cyber threats.

Victim Reporting and Additional Information

We encourage the public to report information concerning suspicious or criminal activity, to include the distribution of knowingly false information regarding the time, place, or manner of elections designed to deprive individuals of their right to vote, to their local FBI field office (www.fbi.gov/contact-us/field).

For additional assistance to include common terms and best practices, such as media literacy, please visit the following websites:

Other 2024 Election Cycle FBI and CISA PSAs

Federal Government Actions to Disrupt Foreign Malign Influence Operations

ODNI Election Security Updates

  1. Early October 2024
  2. Mid-September 2024
  3. Early September 2024
  4. Late July 2024
  5. Early July 2024

Appendix A: Websites and Accounts Operated by Russian Malign Influence Actors

The following websites the U.S. Government either attributes to or assesses are highly likely to be operated by Russian malign influence actors. Websites denoted with an asterisk have previously publicly attributed to Russian malign influence actors by the FBI, Department of State, or Department of Treasury.
  • 50statesoflie.com*
  • uschina.online*
  • washingtonpost.ltd*
  • 50statesoflie.media*
  • uschina.press*
  • usareally.com*
  • acrosstheline.press*
  • warfareinsider.us*
  • welt.ltd*
  • artichoc.io*
  • waronfakes.com*
  • welt.ws*
  • bild.work*
  • washingtonpost.pm*
  • welt.media*
  • electionwatch.io*
  • delfi.top*
  • spiegel.work*
  • electionwatch.live*
  • afrinz.ru*
  • nd-aktuell.net*
  • faz.ltd*
  • africanstream.media*
  • nd-aktuell.pro*
  • forward.pw*
  • americanfront.info*
  • nd-aktuell.co*
  • fox-news.in*
  • vip-news.org*
  • obozrevatel.ltd*
  • grenzezank.com*
  • begemot.media*
  • milliyet.com.co*
  • holylandherald.com*
  • syncreticstudies.com*
  • albayan.me*
  • honeymoney.info*
  • eramedia.com*
  • gulfnews.ltd*
  • honeymoney.press*
  • fortruss.blogspot.com*
  • faz.agency*
  • infobrics.org*
  • geopolitica.ru*
  • sueddeutsche.ltd*
  • lemonde.ltd*
  • globalresearch.ca*
  • sueddeutsche.cc*
  • leparisien.ltd*
  • inforos.ru*
  • tagesspiegel.ltd*
  • levinaigre.net*
  • anticrisis.cc*
  • fraiesvolk.com*
  • lexomnium.com*
  • webkamerton.ru*
  • fraiepozition.store*
  • liesofwallstreet.com*
  • katehon.com*
  • fraiepozition.site*
  • liesofwallstreet.io*
  • journal-neo.org*
  • bild.bz*
  • meisterurian.io*
  • novaresistencia.org*
  • lefigaro.me*
  • mypride.press*
  • odnarodyna.org*
  • 70-putin-freunde.de*
  • oneworld.press*
  • onmedia.io*
  • freikorps.press*
  • pravda-ua.com*
  • openrevolt.info*
  • jfriecorp.press*
  • rbk.media*
  • orientalreview.org*
  • sieben-fragen-putin.de*
  • rrn.media*
  • thered.stream*
  • tonline.life*
  • rrn.world*
  • ritmeurasia.org*
  • tonline.today*
  • shadowwatch.us*
  • rt.com*
  • t-onlinr.life*
  • spicyconspiracy.info*
  • ruptly.tv*
  • t-onlinr.live*
  • spicyconspiracy.io*
  • riafan.ru*
  • t-onlinr.today*
  • spiegel.agency*
  • fznc.world*
  • delfi.today*
  • sueddeutsche.co*
  • strategic-culture.org*
  • spiegel.fun*
  • tagesspiegel.co*
  • unitedworldint.com*
  • spiegel.today*
  • tribunalukraine.info*
  • tsargrad.tv*
  • winter-is-comming.de*
  • truthgate.us*
  • bild.llc*
  • reuters.cfd*
  • Ukrlm.info*
  • bild.ws*
  • reuters.cyou*
  • bild.vip*
  • repubblica.icu*
  • repubblica.world*
  • socialharmony.de*
  • manabalss.li*
  • musubalss.org*
  • spiegel.ink*
  • sueddeutsche.online*
  • dailymail.cam*
  • dailymail.cfd*
  • delfi.life*
  • repubblica.life*
  • spiegeli.life*
  • spiegeli.live*
  • spiegeli.today*
  • reuters.sbs*
  • blld.live*
  • itcb.life*
  • dekommnt.live*
  • ukcommunity.vip*
  • spiegelr.live*,
  • spiegelr.today*
  • spiegelr.life*
  • 50StatesOfLie <X account>
  • t-onlinl.life*
  • foxnews.cx*
  • AcrossTheLine11 <X account>
  • t-onlinl.live*
  • inforos.ru*
  • alhiwar.cc
  • alhiwar.me
  • t-onlinl.today*
  • infosco.org*
  • bostontimes.org
  • sueddeutsche.life*
  • southfront.org
  • besuchszweck.org
  • sueddeutsche.today*
  • allons-y.social
  • brennende_frage <X account>
  • sueddeutsche.site*
  • brennendefrage.com
  • brennendefrage.cc
  • atlanta-observer.com
  • alternativereport.us
  • carsondispatch.com
  • atlantabeacon.org
  • candidat.news
  • centernewscentral.com
  • antifashist.com
  • candidat_news <X account>
  • centerpointbeacon.com
  • american-freedom.org
  • capitolpulse.org
  • civiccentury.org
  • civiccommentary.org
  • conservativecompass.org
  • conservativecontext.com
  • civiccorner.org
  • conservativecorridor.com
  • democracydive.com
  • civiccreed.com
  • conservativecourier.org
  • daybreakdigest.org
  • civiccurrent.com
  • cropmarketchronicles.cc
  • derrattenfanger.io
  • civiccurve.com
  • cropmarketchronicles.us
  • derrattenfanger.net
  • conservativecamp.org
  • dc-free-press.org
  • DragonflyTimes <X account>
  • conservativecatch.org
  • deintelligenz.com
  • epochpost.org
  • conservativechannel.org
  • deintelligenz.io
  • flagstaffpost.com
  • conservativecircuit.com
  • democracydepth.com
  • flyoverbeacon.com
  • derglaube.online
  • democracydrive.org
  • franceeteu.today
  • derleitstern.cc
  • derbayerischelowe.info
  • franceeteu <X account>
  • derleitstern.com
  • derglaube.com
  • freedomfacade.com
  • arbeitspause.org
  • freedomfixture.com
  • freedomforge.info
  • freedomfoundry.info
  • freemediaforum.info
  • gopguardian.com
  • governancegaze.com
  • grunehummel.com
  • GruneHummel <facebook Name>
  • hauynescherben.net
  • hauynescherben.press
  • hauynescherben <X account>
  • heartlandharbor.org
  • heartlandhaven.org
  • heartlandheadlines.net
  • heartland-inquirer.org
  • honestcitizens.org
  • houstonpost.org
  • il_corrispondente.com_ <instagram Name>
  • il-corrispondente.com
  • rybar <telegram Name>
  • corrispondente.io
  • interventionist.cc
  • interventionist.com
  • interventionist.us
  • Intrvntnst <X account>
  • kaputteampel.cc
  • kaputteampel.com
  • KaputteAmpel <X account>
  • kbsf-tv.com
  • lansingtribune.org
  • la-sante.info
  • laterrasse.io
  • laterrasse.online
  • leaderledger.net
  • lebelligerant.com
  • lebelligerant.io
  • lebelligerant <X account>
  • le-continent.com
  • lesfrontieres.media
  • lesfrontieres <X
  • southfront.press
  • lavirgule.news
  • lesifflet.cc
  • lesifflet.net
  • LexOmnium <X account>
  • libertylagoon.org
  • libertylantern.org
  • libertylaunch.org
  • libertylectern.org
  • libertypressnews.com
  • libertyvoice.info
  • lonestarcrier.com
  • madison-gazette.org
  • maplechronicles <telegram Name>
  • meriblood <telegram Name>
  • miastagebuch.com
  • nationalcrier.com
  • nationalmatters.org
  • nationalnarrative.org
  • nationnotebook.com
  • newscenterpress.org
  • news-front.su
  • strategic-culture.su
  • orientalreview.su
  • journal-neo.su
  • noticiasbravas.com
  • notrepays.today
  • observateurcontinental.Fr
  • omnam.life
  • oraclenews.org
  • partyperspective.com
  • patrioticpage.com
  • patrioticparade.com
  • patrioticpioneer.com
  • patrioticpulse.info
  • phoenixpatriot.org
  • policypaddock.com
  • policypassage.com
  • policypatch.com
  • policypath.org
  • policypeak.org
  • policyplatform.info
  • policyporch.org
  • politicalpioneer.com
  • politicalplot.org
  • politicalporch.com
  • politicostream.com
  • politnavigator.news
  • politnavigator <telegram Name>
  • politnavigator <X account>
  • politnavigator <youTube Name>
  • polskikompas.com
  • pulsepress.org
  • purplestatepost.com
  • raleigh-herald.com
  • Rattenfangernet <X account>
  • red-blue-tribune.com
  • redstategazette.com
  • redstatereport.net
  • republicrally.com
  • republicrange.com
  • republicregard.com
  • republicreview.net
  • republicripple.com
  • republicroot.com
  • republicroots.org
  • republicrundown.com
  • rightrealm.net
  • rightresonance.org
  • rightrevival.org
  • rightrundown.com
  • senatesight.com
  • signaldaily.org
  • silverstatesignal.org
  • southfronteng <telegram account>
  • southfroneng <X account>
  • SouthFrontEnThree <facebook>
  • statestage.org
  • thearizonaobserver.com
  • tribunetimes.org
  • unitytrend.com
  • ULM_Info <X account>
  • TruthGateOff <X account>
  • voice-of,europe.eu
  • ukraine-inc.info
  • vanguardviews.com
  • votervista.net
  • bild.asia
  • spiegel.pro
  • TEXASvsUSA <telegram Name>
  • topicdujour <telegram account>
  • dailymail.top
  • TEXASvsUSA <X account>
  • interventionist.io
  • SpConspiracy <X Name>
  • wanderfalke.net
  • facts.matter.me
  • faz.life
  • naebc.com
  • sueddeutsche.me
  • scopestory.com
  • rybar_force <X account>
  • rightreview.org

Appendix B: Websites Operated by Iranian Malign Influence Actors

The following websites the U.S. Government either attributes to or assesses are highly likely to be operated by Iranian malign influence actors.
  • Evenpolitics.com
  • Savannahtime.com
  • Westlandsun.com
  • Niothinker.com
  • Afromajority.com
  • Al-saria.com